From owner-svn-ports-head@freebsd.org Thu Jul 30 04:32:25 2020 Return-Path: Delivered-To: svn-ports-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 0AF4F377F05; Thu, 30 Jul 2020 04:32:25 +0000 (UTC) (envelope-from tcberner@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BHHZJ6ZlGz3SQ0; Thu, 30 Jul 2020 04:32:24 +0000 (UTC) (envelope-from tcberner@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C67E0B45D; Thu, 30 Jul 2020 04:32:24 +0000 (UTC) (envelope-from tcberner@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 06U4WOKg079663; Thu, 30 Jul 2020 04:32:24 GMT (envelope-from tcberner@FreeBSD.org) Received: (from tcberner@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 06U4WOiT079662; Thu, 30 Jul 2020 04:32:24 GMT (envelope-from tcberner@FreeBSD.org) Message-Id: <202007300432.06U4WOiT079662@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: tcberner set sender to tcberner@FreeBSD.org using -f From: "Tobias C. Berner" Date: Thu, 30 Jul 2020 04:32:24 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r543704 - head/archivers/ark/files X-SVN-Group: ports-head X-SVN-Commit-Author: tcberner X-SVN-Commit-Paths: head/archivers/ark/files X-SVN-Commit-Revision: 543704 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jul 2020 04:32:25 -0000 Author: tcberner Date: Thu Jul 30 04:32:24 2020 New Revision: 543704 URL: https://svnweb.freebsd.org/changeset/ports/543704 Log: archivers/ark: security fix KDE Project Security Advisory ============================= Title: Ark: maliciously crafted archive can install files outside the extraction directory. Risk Rating: Important CVE: CVE-2020-16116 Versions: ark <= 20.04.3 Author: Elvis Angelaccio Date: 30 July 2020 Overview ======== A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction. Proof of concept ================ For testing, an example of malicious archive can be found at https://github.com/jwilk/traversal-archives/releases/download/0/relative2.zip Impact ====== Users can unwillingly install files like a modified .bashrc, or a malicious script placed in ~/.config/autostart Workaround ========== Users should not use the 'Extract' context menu from the Dolphin file manager. Before extracting a downloaded archive using the Ark GUI, users should inspect it to make sure it doesn't contain entries with "../" in the file path. Solution ======== Ark 20.08.0 prevents loading of malicious archives and shows a warning message to the users. Alternatively, https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f can be applied to previous releases. Credits ======= Thanks to Dominik Penner for finding and reporting this issue and thanks to Elvis Angelaccio and Albert Astals Cid for fixing it. Added: head/archivers/ark/files/ head/archivers/ark/files/patch-git_0d5952 (contents, props changed) Added: head/archivers/ark/files/patch-git_0d5952 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/archivers/ark/files/patch-git_0d5952 Thu Jul 30 04:32:24 2020 (r543704) @@ -0,0 +1,46 @@ +From 0df592524fed305d6fbe74ddf8a196bc9ffdb92f Mon Sep 17 00:00:00 2001 +From: Elvis Angelaccio +Date: Wed, 29 Jul 2020 23:45:30 +0200 +Subject: [PATCH] Fix vulnerability to path traversal attacks + +Ark was vulnerable to directory traversal attacks because of +missing validation of file paths in the archive. + +More details about this attack are available at: +https://github.com/snyk/zip-slip-vulnerability + +Job::onEntry() is the only place where we can safely check the path of +every entry in the archive. There shouldn't be a valid reason +to have a "../" in an archive path, so we can just play safe and abort +the LoadJob if we detect such an entry. This makes impossibile to +extract this kind of malicious archives and perform the attack. + +Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath() +so that we can still allow loading of legitimate archives that +contain "../" in their paths but still resolve inside the extraction folder. +--- + kerfuffle/jobs.cpp | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kerfuffle/jobs.cpp b/kerfuffle/jobs.cpp +index fdaa48695..f73b56f86 100644 +--- kerfuffle/jobs.cpp ++++ kerfuffle/jobs.cpp +@@ -180,6 +180,14 @@ void Job::onError(const QString & message, const QString & details) + + void Job::onEntry(Archive::Entry *entry) + { ++ const QString entryFullPath = entry->fullPath(); ++ if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) { ++ qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath; ++ onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString()); ++ onFinished(false); ++ return; ++ } ++ + emit newEntry(entry); + } + +-- +GitLab +